Scaling bitcoin with sidechains

One of bitcoin’s critical challenges to overcome on the way to “mainstream adoption” is scalability. Debates over how to scale bitcoin came to a head in 2017, with the Segwit2x proposal and later the BCH hard fork occurring just months before the historical peak of bitcoin’s transaction fee market.

Source: https://bitinfocharts.com/comparison/bitcoin-transactionfees.html

In short, those opposed to segwit but in favor of a block size increase created a new altcoin called BCH (also lovingly referred to as “bcash” by the bitcoin community) while those who supported both segwit and a block size increase continued on with their plan to implement a hard fork called Segwit2x, right up until they capitulated and cancelled the hard fork at the last minute. Meanwhile, segwit activated on bitcoin in August 2017, effectively doubling the bitcoin block size limit and fixing transaction malleability, thus making the Lightning Network safer to use and making potential future block size limit increases safer too.

However, even with segwit activated and the Lightning Network now live on mainnet, scalability remains a challenge for bitcoin. Simple block size limit increases are not a sustainable scaling solution due to the way this increases the resources required for full nodes to enforce consensus rules. This increased resource requirement would push the network towards a model where more users have to trust third parties to ensure the validity of bitcoin blocks and confirm incoming transactions. If we increase the block size limit to accommodate the eventual billions of people that (I assume) we hope to have using bitcoin, the system would be all but guaranteed to be centralized under the control of a very small handful of easily captured data centers. That is, to me, an unacceptable outcome for a p2p trust-minimized ecash system as bitcoin is intended to be.

If simple block size limit increases cannot sustainably scale bitcoin to support billions of users, what can? As mentioned, we now have the Lightning Network live on mainnet. The Lightning Network is a bidirectional payment channel network that enables users to pass around unconfirmed bitcoin transactions off-chain with a high degree of certainty that the bitcoin cannot be double-spent. This certainty is provided by penalty transactions that payment recipients can use to penalize any senders who try to double-spend them.

However, the Lightning Network is fundamentally limited by bitcoin scalability in two ways: first, bitcoin’s on-chain transaction capacity limit also limits the number of Lightning channels that can be opened. There will always be a need to onboard users, increase channel limits, rebalance channels, close channels on-chain for various reasons, all of which consumes limited block space. Then there’s the issue of “flood and loot” style attacks that attackers can use to exploit bitcoin’s limited block space and steal funds from the Lightning Network.

We seem to be at an impasse: bitcoin cannot scale only by increasing the block size limit, because this would result in unacceptable centralization of the network. And bitcoin cannot scale only with the Lightning Network because the bitcoin block size limit is too low to be safe under conditions of block space congestion. What remaining options are there?

In 2010 noted cypherpunk and first bitcoin transaction recipient Hal Finney wrote that he envisioned bitcoin scaling off-chain using bitcoin-backed IOUs issued by bitcoin banks. He wrote:

I believe this will be the ultimate fate of Bitcoin, to be the “high-powered money” that serves as a reserve currency for banks that issue their own digital cash. Most Bitcoin transactions will occur between banks, to settle net transfers. Bitcoin transactions by private individuals will be as rare as… well, as Bitcoin based purchases are today.

Like much of Hal’s bitcoin commentary, his views of scaling were prescient. Though he did not specify exactly how these bitcoin banks would work and what protocols they would use for issuing digital cash, it’s likely that what he had in mind looked something like DigiCash, a centralized attempt in the mid-1990s to create bank-issued electronic cash using DigiCash founder David Chaum’s blind signature technology. However in the decade since Hal’s comments about scaling bitcoin, there have been several innovations that can bring his vision to reality without Bitcoiners giving up control of their sats to centralized bitcoin banks. One of these innovations in particular has the potential to enable virtually unlimited scalability while avoiding the centralization risks posed by bitcoin banks. That innovation is sidechains.

In 2014 Back et al published the first sidechains whitepaper. In their paper, Back et al describe a new technique for locking sats on the mainchain and issuing an equivalent amount of sats on another blockchain running alongside bitcoin (a “sidechain“). These sidechain sats would be “pegged” to mainchain sats because they could always be redeemed 1:1 for sats on the mainchain, creating a “two-way peg“. Back et al described using a Simplified Payment Verification protocol to enable bitcoin full nodes to verify when sats have been successfully “withdrawn” from the sidechain, triggering a release of an equivalent amount of sats on the mainchain. The sidechains whitepaper was initially met with much excitement, but the SPV design described in the whitepaper required a soft fork to bitcoin to work, and there were concerns among some developers about how this mechanism would affect bitcoin incentives. Interest in the bitcoin community eventually shifted to the more immediately viable segwit and Lightning.

Recently, however, there has been something of a “sidechain rennaissance”, with developers experimenting with sidechain designs of various kinds, pushing the boundaries of the technology and stress-testing various trust and security models that make pegged sidechains possible.

In January 2018 the company IOVLabs helped launch RSK, a sidechain that is merge-mined with bitcoin. RSK implemented a permissioned, federated two-way peg secured by trusted hardware security modules, which, while arguably a regression from the permissionless design described in the sidechains whitepaper, nonetheless demonstrated a viable sidechains model compatible with existing bitcoin consensus rules. Later in 2018, Blockstream, a company founded by several authors of the sidechains whitepaper, launched a permissioned sidechain called Liquid, which also implemented a federated peg secured by trusted hardware.

More recently, in February 2019 the Nomic project implemented a permissionless sidechain design that is compatible with existing bitcoin consensus rules. In Nomic, sats destined for the sidechain are held on the mainchain by at most 76 “signatories” who are selected based on the weight of their “voting power” on the Nomic sidechain. Voting power on Nomic is earned by mining “hashcoins” using proof-of-work and staking them on the sidechain. If a signatory tries to steal the sats held in their custody then their hashcoin stake will be slashed or frozen by Nomic full nodes. This makes the Nomic sidechain secure to use so long as the value of sats held in the custody of signatories is less than the value of 2/3+1 of the hashcoins at stake.

There are other permissionless sidechain designs under development that could provide even more flexibility and stronger security guarantees than either Liquid or RSK’s permissioned pegs or the Nomic permissionless peg. The main downside is that, like the SPV model described in the original sidechains whitepaper, these other designs require changes to bitcoin’s consensus rules in order to be implemented on the bitcoin mainchain.

Drivechain is one such design that has been under development since 2016. Drivechain uses a novel technique called “hashrate escrow”, previously described on this blog here, to enforce the two-way peg. If miners securing the hashrate escrow try to steal sats in their custody then bitcoin full nodes can react by organizing a UASF to stop the theft from happening. Due to this threat, combined with the possibility that such an attack could kill market confidence in the Drivechain mechanism and sharply diminish future revenues from drivechains, it’s expected that rational miners will not attempt to corrupt and steal sats from the hashrate escrow.

Zendoo is another permissionless sidechain design recently published in January 2020 that shows promise but also requires changes to bitcoin consensus before it can be implemented on bitcoin mainnet. In Zendoo, users first deposit sats into a sidechain deposit address and are then credited with an equivalent amount of sats on the sidechain. To withdraw sats from the sidechain back to the mainchain, users generate a special zero knowledge proof called a zk-SNARK that proves a valid withdrawal and allows them to redeem their sidechain sats for an equivalent amount of mainchain sats, even if the sidechain miners are totally uncooperative.

What these sidechain developments show is that it is now possible — and could soon be even more secure — to 1) deposit sats into the custody of multiple parties (potentially including the depositor) such that no single party has the power to steal those funds and 2) track ownership of these sats on a publicly verifiable ledger, similar to the bitcoin blockchain, so that these sats can be transferred around without any intermediate transfers needing to be confirmed on the bitcoin mainchain. Multiple trust models have been devised along a spectrum that provides users with cost/efficiency/centralization/security tradeoffs, offering far more and better options than the “bitcoin banks” of old.

So how do sidechains help with scalability? The basic idea is that while decentralized blockchains like bitcoin are not by themselves scalable, sidechains provide an environment where different scalability/trust/decentralization tradeoffs can be explored. Maybe for low-value payments a sidechain with a higher block size limit is acceptable. Or, if users show a preference for using blockchains they can verify themselves while still avoiding the high costs and limited functionality of the bitcoin mainchain, they can opt-in to a sidechain network where each sidechain keeps a low block size limit and new sidechains are simply added to the network each time fees start to consistently go above some pre-established ceiling. Each new sidechain then helps alleviate fee pressure on the existing sidechains as fee-sensitive users migrate over.

Initially it would seem like this network of sidechains could become unwieldy to users. But much of the complexity can be abstracted away with good wallet design. For example, to ensure that it remains easy for users on one sidechain to pay users on another sidechain, a payment invoice standard could be developed that contains the recipient’s address, the ID of the sidechain they’re using, the asset, and the amount. The sender’s payment can then be automatically routed using a cross-chain atomic swap protocol like Interledger or OpenDEX so it gets from the sender to the recipient as long as there’s a liquid path from point A to B. Worst case scenario, the wallet can fall back to manually transferring funds from one chain to the other using slower (but always available) two-way pegs.

A network of sidechains like this is complementary to payment channel protocols such as the Lightning Network by providing the extra block space needed to onboard users, settle transactions, and penalize fraud, protecting the Lightning Network from flood-and-loot-style attacks. As a bonus, sidechain users get access to new functionality unlikely to be implemented on the bitcoin mainchain, such as more expressive smart contracts or e2e encrypted payments.

Sidechains aren’t the be-all-end-all answer to scalability. They are not without tradeoffs, and there are still scalability improvements to be gained by optimizing our use of block space on the mainchain. But sidechains do provide a solution to many of bitcoin’s scalability needs, and with a growing number of different implementations available for experimentation it’s possible that in the next decade we’ll go from wondering how bitcoin will scale to support billions of users around the world to wondering how we ever imagined scaling without sidechains.

---

Email is probably the most popular decentralized messaging protocol, and I expect it to be around for a while. Add yourself to my email contacts if you would like to stay in touch! I will never sell, rent, or share your email address.